Other symptoms:
# kinit admin
:
# ipa help user
ipa: ERROR: No valid Negotiate header in server response
This is now happening on our primary IPA server.
On 12/07/2018 07:42 AM, Bret Wortman via FreeIPA-users wrote:
I'm seeing this in /var/log/messages periodically:
systemd: Starting IPA key daemon...
ipa-dnskeysyncd: ipa : INFO LDAP bind...
ipa-dnskeysyncd: ipa : ERROR Login to LDAP server failed:
{'desc': 'Invalid credentials'}
ipa-dnskeysyncd: Traceback (most recent call last):
ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 94, in
<module>
ipa-dnskeysyncd: ldap_connection.sasl_interactive_bind_s("",
ipaldap.SASL_GSSAPI)
ipa-dnskeysyncd: File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 850, in
sasl_interactive_bind_s
ipa-dnskeysyncd: res =
self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
ipa-dnskeysyncd: File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 818, in
_apply_method_s
ipa-dnskeysyncd: return func(self,*args,**kwargs)
ipa-dnskeysyncd: File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in
sasl_interactive_bind_s
ipa-dnskeysyncd: return
self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
ipa-dnskeysyncd: File
"/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in
_ldap_call
ipa-dnskeysyncd: result = func(*args,**kwargs)
ipa-dnskeysyncd: INVALID_CREDENTIALS:{'desc': 'Invalid credentials'}
systemd: ipa-dnskeysyncd.service: main process exited, code=exited,
status=1/FAILURE
systemd: Unit ipa-dnskeysyncd.service entered failed state
systemd: ipa-dnskeysyncd.service failed.
Also, my main server is now spitting this into /var/log/messages on a
regular basis:
GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (Credential cache is empty)
Our whole development group is essentially down while this is going on.
No one can log on, DNS resolution isn't working at all, Kerberos
tickets aren't working the way they should, and the IPA web UI isn't
letting me log in via Kerberos _or_ with the admin account and its
password (which _does_ work to grab the admin Kerberos ticket).
I'm very confused.
Bret
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org